Countermeasure method in a microcircuit, microcircuit therefore and smart card comprising said microcircuit

ABSTRACT

A countermeasure method for a microcontroller that executes sequences of instructions. The instructions are executed according to a pipeline method. At least one waiting time is randomly introduced between two consecutive instructions and/or within at least one instruction. The method is implemented by the electronics of the microcontroller rather than by software addition.

This disclosure is based upon French Application No. 00/05531, filed on Apr. 28, 2000 and International Application No. PCT/FR01/01196, filed Apr. 18, 2001, the contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates to a countermeasure method in a microcircuit.

It also relates to a microcircuit implementing the method and portable media of the smart card type having such a microcircuit.

It should be noted that a microcircuit for portable devices such as smart cards has an architecture formed around a processor (or microprocessor) comprising a controller and an arithmetic and logic unit (ALU) connected by a bus to memories, including a non-volatile program memory which contains the sensitive data item or items (secret keys) of a cryptography algorithm, for example. The controller manages the input/output signals I/O (instructions, addresses, data) and the arithmetic and logic unit performs arithmetic operations on the data on command of the controller.

Such microcircuits are used in smart cards for certain applications, for example applications for accessing certain data banks, banking applications, remote charging applications, for example for television, petrol dispensing or passing through motorway tolls.

The invention is applicable most particularly to the security of sensitive data in media such as smart cards. It concerns secret data manipulated by the processor of the microcircuit and liable to pass over the bus connecting the memories to this processor.

The invention is applicable to the security of secret information such as the secret code of the user of a smart card or the electronic keys used in cryptographic calculation operations for the encryption and/or authentication and/or electronic signing of messages.

The invention is applicable in particular in the case of the implementation of secret key cryptography algorithms or of so-called public key algorithms. Such algorithms are used in applications where the access to services or to data is strictly controlled.

Amongst the secret key cryptography algorithms there can be cited the DES (Data Encryption Standard) algorithm. Other secret key algorithms exist, like the RC5 algorithm or the COMP128 algorithm. This list is of course not exhaustive.

Amongst the public key cryptography algorithms there can be cited RSA (Rivest Shamir and Adleman), El Gamal, Schnorr, Fiat Shamir, or DSA or DSS.

Briefly and in general terms, the aim of these algorithms is to perform cryptographic calculations from a host system (server, cash dispenser, etc.) and the secret key or public and secret keys contained in the card, and to supply in return to the host system an encrypted message, or to allow an authentication of the microcircuit (of the card), or to sign messages.

The entire security of these cryptography algorithms relies on the fact of being able to keep secret the data which must remain so. In the case of cryptographic algorithms, the secret key or keys cannot be deduced solely from knowledge of the information exchanged between the card and the outside world.

However, it has become apparent that, when the cryptography processor or the processor of a smart card performs calculation operations entailing the manipulation of secret data, external attacks based on current consumption or on differential current consumption analysis allow ill-intentioned third parties to find the secret key contained in this card. These attacks are referred to as DPA (Differential Power Analysis) attacks.

The principle of these DPA attacks relies on the fact that the current consumption of the processor executing instructions varies according to the data manipulated.

In particular, when an instruction executed by the processor requires manipulation of a data item bit by bit, there are two different current profiles depending on whether this bit is equal to “1” or “0”. Typically, if the processor is manipulating a “0”, there is at that execution instant a first amplitude of the consumed current and, if the processor is manipulating a “1”, there is a second amplitude of the consumed current, different from the first.

Thus the DPA attack exploits the difference in the current consumption profile in the card during execution of an instruction according to the value of the bit manipulated. Simplified, the course of a DPA attack consists in identifying one or more particular periods in the progression of the algorithm comprising the execution of at least one instruction manipulating data items bit by bit; of plotting a very large number N of current consumption curves during this or these periods, one curve per different message to which the algorithm is applied; of predicting, for each curve, the value taken by one bit of the data item for an assumption on a subkey, that is to say on at least part of the secret key, which allows the prediction to be made; and of sorting the curves according to the corresponding Boolean selection function: a first bundle of curves is obtained for which the prediction is equal to “1” and a second bundle of curves is obtained for which the prediction is equal to “0”. By performing a differential analysis of the mean current consumption between the two bundles of curves obtained, an information signal DPA(t) is obtained.

If the subkey assumption is not true, each bundle in actual fact comprises as many curves corresponding to manipulation of a “1” as curves manipulating a “0”. The two bundles are therefore equivalent in terms of current consumption and the information signal is substantially zero. If the subkey assumption is true, one bundle actually comprises the curves corresponding to manipulation of a “1” and the other bundle actually comprises the curves corresponding to manipulation of a “0”: the information signal DPA(t) obtained is not zero; it comprises consumption peaks corresponding to manipulation by the processor of the bit on which the sort was based. These peaks have an amplitude corresponding to the difference in consumption by the processor depending on whether it is manipulating a “1” or a “0”. Thus, gradually, it is possible to discover all or part of the secret key contained in a microcircuit.

There are numerous algorithms for the execution of which the processor or an associated calculation unit (cryptoprocessor) has to perform bit-by-bit data manipulations at certain moments.

This is the case in particular, as has been said, for cryptographic algorithms. By analysing the current consumption during the execution of these bit-by-bit manipulations, it is possible to find the value of at least certain bits of the manipulated data item. The knowledge of this data item can provide information on intermediate results obtained during execution of the cryptography algorithm, which in their turn can make it possible to find at least some of the bits of the secret key used.

The applicant realised that such an attack can be carried out from observing the current consumption variations related to transitions of binary values on the microcircuit bus. This is because the applicant observed that the change of state between two bits of the same significance from one data item to another causes a higher consumption than in the case where there is no change of state. Thus, transitions leave a signature for the data which flow on the bus. This situation is of course very prejudicial where these data are secret data.

SUMMARY OF THE INVENTION

The aim of the present invention is to solve this problem.

Its object is to protect the data on which bit-by-bit manipulations are performed, by applying thereto a countermeasure, that is to say interference, so that analysis of the current consumption during transitions from one data item to the next passing over the bus reveals no information on these data items: the information signal DPA(t) will always be the same in DPA attacks.

As claimed, the invention relates to a countermeasure method in a microcircuit comprising a processor capable of performing operations, one of which consists in manipulating at least one secret data item, at least one non-volatile memory containing the secret data item or items, and at least one working memory, said memories being connected by a bus to said processor, principally characterised in that the method comprises the injection onto the bus of a number of random data items between data items originating from operations performed by the processor.

According to another characteristic, the method consists in activating the injection onto the bus of a number of random data items during a period during which the secret data item or items are being manipulated, and of inhibiting the injection of said random data items outside these periods.

According to another characteristic, the operation consisting in manipulating a secret data item is implemented by a cryptographic algorithm.

The cryptography algorithm can be a secret key algorithm.

This cryptography algorithm can alternatively be a public key algorithm.

The secret data item can be a personal identification code.

The invention also relates to a microcircuit for a portable device of the smart card type, comprising a processor capable of performing operations, one of which consists in manipulating at least one secret data item, at least one non-volatile memory comprising the secret data item or items, and at least one working memory, connected by a bus to said processor, principally characterised in that it comprises a random data generator, and a multiplexer comprising an input connected to the output of the random data generator which is connected to the input/output bus of the processor in order to inject random data items onto this bus on command of the processor.

The random data generator is activated by a clock signal with a frequency higher than that of the processor.

The clock signal can be a multiple of the processor clock signal, which can be generated internally (internally to the processor) or come from outside (from contact pads of the smart card in which the microcircuit is installed).

The microcircuit has a logic circuit capable of supplying said clock signal which is a multiple of the processor clock signal.

When the microcircuit has a number of buses, the means for injecting random data items are implemented by a macro-instruction.

The invention also relates to a smart card comprising a microcircuit as has just been presented.

BRIEF DESCRIPTION OF THE DRAWINGS

Other particular features and advantages of the invention will emerge clearly from a reading of the description produced below, which is given by way of a non-limitative example and with reference to the accompanying drawings in which:

- FIG. 1 depicts a simplified architecture of a microcircuit capable of implementing the method according to the invention;
- FIGS. 2A to 2G depict the operating signals of the microcircuit;
- FIG. 3 depicts a detailed implementation diagram of one embodiment of the microcircuit according to the invention.

DETAILED DESCRIPTION

FIG. 1 depicts a simplified microcircuit, that is to say only the elements necessary for understanding the invention.

In the case of an installation in a smart card, the microcircuit has the architecture of the micromodule of the card, that is to say it has: a main processing unit 1 (called the processor) comprising a controller 11, one or more buses for connecting the unit 1 to associated memories consisting of at least one program memory M1 (non-volatile, of ROM type), at least one working memory M2 (of RAM type), and at least one electrically programmable program memory M3 (of EEPROM type). The microcircuit can also have a calculation unit 2 (cryptoprocessor) for implementing modular exponentiation calculations, as is the case for example in the case of execution of the RSA (Rivest Shamir Adleman) public key cryptographic algorithm.

For implementing the countermeasure method according to the invention, the microcircuit shown schematically in this FIG. 1 also has a random number generator 3 activated by a clock signal H (FIG. 2) and a multiplexer 4 activated by a signal C controlling its output S. The microcircuit also has a system 5 for management of the information flowing on the bus B (of the type of a multiplexer with two inputs e1, e2 and one output s) controlled by the controller 11. In the case of a read from a memory, the system 5 makes it possible to directly connect the arithmetic and logic unit 12 to the memories M1, M2, M3; in the case of a write to a memory, the output of the multiplexer 4 goes onto the bus B.

The controller 11 of the microcircuit can be associated with a cryptographic operator 2 as already specified and manipulate one or more secret data items.

For simplification, the case will be taken of a single manipulated secret data item (which is the case for example in the implementation of a secret key algorithm or of a PIN code (Personal Identifier Code)). This data item is stored in a secure manner in the non-volatile program memory M1 associated with the processor 11.

During execution of a cryptography operation or verification of the identification code (PIN), the processor will, according to the invention, perform one or more interrupts so as to inject random data items onto the bus (a bus over which the secret data items are then liable to pass).

In fact, during the execution, initiated by the processor, of an instruction which comprises for example the writing of a secret data item, the latter will then pass over the bus B in order to go into the working memory M2 with a view to the processing to be performed with this data item. A series of data items will consequently pass over the bus B for each operation executed; these data items are commands and data “useful” for the processing performed. According to the method of the invention, the processor is capable of issuing an interrupt which can be triggered by the secret data manipulation program itself (in this case the cryptography program), having the aim of interrupting the execution of the instruction in progress, of saving the context in the registers and of triggering the insertion of random data items (generated by the generator 3) onto the bus B. The signal interrupting the execution of the instruction in progress can be used as the control signal C for the multiplexer 4.

FIGS. 2A to 2G illustrate the operating signals of the microcircuit.

The processor clock signal CLK is depicted in FIG. 2A.

FIG. 2B illustrates an example of a clock signal H for controlling the random generator 3.

A clock frequency H higher than the processor clock CLK is chosen so that a number of random data items DA₁ to DA_n can be injected between the instant at which the execution of an instruction is interrupted and its resumption. These random data items are thus injected between data items transmitted by the bus B between these two instants. The aim of the random data items is to randomly reload or unload the bus.

The insertion of a number of data items makes it possible to obtain the expected result.

A clock H faster than the processor clock CLK, for example a multiple thereof, is chosen so as to send at least two random data items.

The data items, whether commands or data to be processed, are illustrated on the graph of the bus in FIG. 2C.

FIG. 2D illustrates the progression of the execution of an instruction and its interruption upon receipt of the interrupt signal. This interrupt makes it possible to generate the signal C controlling the output of the multiplexer, illustrated in FIG. 2E.

The write control signal issued by the processor is illustrated in FIG. 2F.

FIG. 2G illustrates the data items DA generated by the random generator 3.

FIG. 2E illustrates an example of a control signal C for activating the multiplexer 4. According to the example illustrated, when the signal C is at 0, the multiplexer delivers at its output S the signal received on its input E1, and when the signal C is at 1, it delivers the data received on its input E2; this signal C is, according to this example, at 1 in the presence of an instruction execution interrupt issued by the processor.

The input E1 of the multiplexer 4 corresponds to the output data of the processor (ALU).

The data received on the input E2 are the data issued by the generator 3.
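The DPA sort described in the background and the injection of random data items between the useful bus values described above are simulated together below, in an added example that is not part of the patent. The leakage model (one sample per bus transition equal to the Hamming distance between consecutive bus values, bus idle at 0x00 before the write), the constructed substitution table, the full sweep over 256 messages and the function names are all assumptions made for the illustration; the point shown is that without injection the correct key byte stands out with a peak of exactly 1.0, and with two random items per transition no guess produces a usable peak.

```python
"""Bus-transition leakage and the random-data countermeasure, simulated.

Added example, not from the patent. Assumed model: an 8-bit bus idle at
0x00 before a secret-dependent value is written, leakage equal to the
Hamming distance between consecutive bus values (the transition
signature), and a DPA that sorts traces on one predicted bit.
"""
import random

# Constructed substitution table (a seeded random permutation of 0..255)
# standing in for the non-linear step of a block cipher such as DES.
SBOX = list(range(256))
random.Random(12345).shuffle(SBOX)

def hamming_distance(a, b):
    """Bits that toggle when the bus goes from value a to value b."""
    return bin(a ^ b).count("1")

def bus_trace(values, injected, rng):
    """One leakage sample per bus transition for a run of useful values.

    With injected > 0, that many random bytes from the generator are put
    on the bus between consecutive useful values (the multiplexer selects
    the random generator while the instruction is interrupted).
    """
    seq = [values[0]]
    for v in values[1:]:
        seq.extend(rng.randrange(256) for _ in range(injected))
        seq.append(v)
    return [hamming_distance(seq[i - 1], seq[i]) for i in range(1, len(seq))]

def collect_traces(key, injected, sweeps=4, seed=1):
    """Messages and traces for `sweeps` passes over all 256 messages."""
    rng = random.Random(seed)
    msgs, traces = [], []
    for _ in range(sweeps):
        for m in range(256):
            msgs.append(m)
            traces.append(bus_trace([0x00, SBOX[m ^ key]], injected, rng))
    return msgs, traces

def dpa_signal(msgs, traces, key_guess, bit=0):
    """Largest |mean(sel=1) - mean(sel=0)| over the samples for one guess."""
    n = len(traces[0])
    total, count = [[0.0] * n, [0.0] * n], [0, 0]
    for m, trace in zip(msgs, traces):
        sel = (SBOX[m ^ key_guess] >> bit) & 1   # predicted bit value
        count[sel] += 1
        for t in range(n):
            total[sel][t] += trace[t]
    return max(abs(total[1][t] / count[1] - total[0][t] / count[0])
               for t in range(n))

def best_guess(msgs, traces):
    """Key byte with the strongest DPA peak, and the height of that peak."""
    scores = {g: dpa_signal(msgs, traces, g) for g in range(256)}
    g = max(scores, key=scores.get)
    return g, scores[g]

if __name__ == "__main__":
    for injected in (0, 2):   # no countermeasure, then two random items
        msgs, traces = collect_traces(0x3A, injected)
        print("injected", injected, "-> guess, peak:", best_guess(msgs, traces))
```

Because every sweep covers all 256 messages, each bundle holds exactly half the traces and the uncountered peak is 1.0 bit of Hamming weight rather than a noisy estimate.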

FIG. 3 depicts a detailed example of one embodiment of the invention.

When the microcircuit is installed in a smart card it also has an interface 13 for communication with the outside world, depicted schematically in this figure. This interface comprises the contact pads of the smart card intended to receive the clock signal CLK, the voltage signals V_(cc) and V_(GND), a reset to zero signal Reset, and the input/output signals I/O. It also has an asynchronous transmission unit.

In the implementation which is going to be described, the clock H is obtained from a logic circuit 50 multiplying the clock signal CLK. This circuit 50 consists for example of gates 51 in series introducing a delay. The delay can be T/4 (T being the period of the clock CLK), and makes it possible in this case to inject at least two random data items between two data items passing over the bus.

The control C is generated by the processor programmed to that end.

A logic circuit could be provided to that end.

When the microcircuit has a number of buses, the functions which have just been described can be implemented not by circuits, but by a macro-instruction provided to that end.

CLAIMS

1. A countermeasure method in a microcircuit comprising a processor capable of performing operations, one of which consists in manipulating at least one secret data item, at least one non-volatile memory containing the secret data item, and at least one working memory, said memories being connected by a bus to said processor, said method comprising the step of injecting a plurality of random data items onto the bus between data items originating from operations performed by the processor, in response to an interrupt generated during the manipulation of the at least one secret data item by the processor internally, to randomly reload or unload the bus.

2. A countermeasure method in a microcircuit according to claim 1, wherein a number of random data items are injected onto the bus during periods in which the secret data item is being manipulated, and the injection of said random data items is inhibited outside these periods.

3. A countermeasure method according to claim 1, wherein the manipulation of a secret data item is implemented by a cryptographic algorithm.

4. A countermeasure method according to claim 3, wherein the cryptographic algorithm is a secret key algorithm.

5. A countermeasure method according to claim 3, wherein the cryptographic algorithm is a public key algorithm.

6. A countermeasure method according to claim 1, wherein the secret data item is a personal identification code.

7. A microcircuit for a portable device of the smart card type, comprising a processor capable of performing operations, one of which includes manipulating at least one secret data item, at least one non-volatile memory storing the secret data item, at least one working memory, connected by a bus to said processor, and means for injecting a plurality of random data items onto said bus in response to an interrupt generated during the manipulation of the at least one secret data item by the processor internally.

8. A microcircuit for a portable device according to claim 7, wherein the means for injecting random data items onto the bus comprise a random data generator and a multiplexer having an input connected to the output of the random data generator and an output which is connected to the bus.

9. A microcircuit for a portable device according to claim 8, wherein the random data generator is activated by a clock signal with a frequency higher than that of the processor.

10. A microcircuit for a portable device according to claim 9, wherein the clock signal is a multiple of the processor clock signal.

11. A microcircuit for a portable device according to claim 9, further including a logic circuit capable of supplying said clock signal as a multiple of the processor clock signal.

12. A microcircuit for a portable device according to claim 7, wherein the microcircuit has a number of buses, and the means for injecting random data items are implemented by a macro-instruction.

13. A smart card having a microcircuit according to claim 7.